Archives For DerbyCon

Following the same technique I used in the previous flag, I identified 10.10.146.74 as running FTP and allowing an anonymous login.  Since I don’t know any slick script-fu to mirror an ftp server via the command line, I simply used FileZilla to download the entire contents of the FTP server to my local computer for inspection.

You can find those files here.

I grepped through all these files to find the flag ‘Goats34Milk’ in AUTOEXEC.BAT, worth 20 points.

There was a lot going on with the files on this FTP server.  For starters, there was source code spread throughout the server with copious amounts of the word ‘flag’ in the code.  I suspect there may have been another flag hidden in all this fodder, but it would have taken someone more dedicated than I to page through all these results to find one.  I started working in that direction but eventually gave up in favour of searching for easier flags.


I knew the approach to this CTF would be different from those in the past based on the instructions.

In years past, the directions told you which devices you were NOT to touch and which devices were the targets.  This year, participants were simply told which devices were off-limits.  These off-limit devices were identified either by subnet or by IP address.

The first thing I did was copy the contents of these addresses/subnets into a file I would use as my “exclusion” file during any network or vulnerability scans I would run.  This was the contents of my “exclude.txt” file:

172.16.0.0/12
10.10.148.0/24
10.10.146.1
10.10.146.62
10.10.146.100
10.10.150.9
10.10.160.9

From here, I kicked off a series of nmap scans.  I started a rather large one using the command:

nmap -sn --excludefile /root/Desktop/CTF/exclude.txt -oG /root/Desktop/CTF/nmap_10.10.0.0.txt 10.10.0.0/16

But given the network latency and downtime, it became pretty apparent that this scan would take forever to finish, if it finished at all, so I broke it up into smaller chunks.
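As an added example (not code from the original post), here is one way to do that chunking as a script: it splits 10.10.0.0/16 into /24 host-discovery sweeps that all use the same exclude.txt, and it checks the exclusion entries before anything runs, because a malformed line would silently drop an off-limits host from the scope. The file paths default to those used in the post; the --print and --run flags are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: split the /16 sweep
# into /24 chunks that all honour the same exclusion file, and refuse
# to scan if any exclusion entry is malformed. Paths default to those
# used in the post.

EXCLUDE=${EXCLUDE:-/root/Desktop/CTF/exclude.txt}
OUTDIR=${OUTDIR:-/root/Desktop/CTF}

# Print the 256 /24 networks inside a /16, given its first two octets.
chunk_16() {
  prefix=$1   # e.g. "10.10"
  i=0
  while [ "$i" -le 255 ]; do
    echo "$prefix.$i.0/24"
    i=$((i + 1))
  done
}

# Build the nmap command for one chunk: -sn is host discovery only, and
# each chunk gets its own grepable output file so a stalled chunk can be
# retried without losing the others.
scan_cmd() {
  net=$1
  tag=$(echo "$net" | tr '/' '_')
  echo "nmap -sn --excludefile $EXCLUDE -oG $OUTDIR/nmap_$tag.txt $net"
}

# Return 1 (and print the offending lines) if any non-empty line in the
# exclusion file is not a bare IPv4 address or CIDR block.
check_exclude() {
  grep -v '^$' "$1" | grep -vE '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' && return 1
  return 0
}

# Usage: sh chunked_sweep.sh --print   (show commands)   or   --run
case "${1:-}" in
  --print) chunk_16 10.10 | while read -r net; do scan_cmd "$net"; done ;;
  --run)
    check_exclude "$EXCLUDE" || { echo "bad exclusion entry, refusing to scan" >&2; exit 1; }
    chunk_16 10.10 | while read -r net; do sh -c "$(scan_cmd "$net")"; done ;;
esac
```

Each chunk writes to its own nmap_10.10.N.0_24.txt, so the hosts found so far survive if a later chunk hangs.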


Removing the negative-point component to CTF flags turned out to be both a blessing and a curse.

In the past, flags were (mostly) obvious and always followed a “flag=” tag.  That made them easy to find with some regex magic.  But it also sucked to get docked points if you accidentally entered the same flag twice, left some whitespace in your submission or otherwise submitted a non-flag.

Along with the end of negative-point flags came some unexpected changes, such as not-so-obvious flags: flags that were tagged as flags, but not in the expected format.  Think “Fl.4gISwhatever,” which was a big departure from “flag=”.  That also made flags a little harder to recognize for what they were if you weren’t paying attention.
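As an added example that is not part of the original posts, here is a grep pass of the kind used to find Goats34Milk in the first excerpt, widened to also catch the leet-style tags described here. The regex and the sample files are my own constructions, not the CTF's actual content.

```shell
#!/bin/sh
# Added example, not code from the original post: a grep pass over a
# downloaded tree that matches both the old "flag=" convention and the
# leet-style variants ("Fl.4gISwhatever") described above. The sample
# tree is constructed here so the example runs offline.

# Case-insensitive pattern: f, l/1, optional separator, a/4/@, g, then up
# to three non-alphanumerics, an optional "IS", an optional = or :, and a
# value of at least four word characters.
FLAG_RE='f[l1][^a-z0-9]?[a4@]g[^a-z0-9]{0,3}(is)?[=:]?[a-z0-9_]{4,}'

# Build a small constructed tree: one flag in AUTOEXEC.BAT, one
# leet-style flag in a source comment, and one file with nothing.
make_sample_tree() {
  dir=$(mktemp -d)
  printf '@ECHO OFF\nSET FLAG=Goats34Milk\n' > "$dir/AUTOEXEC.BAT"
  printf 'int main(void) { /* Fl.4gISwhatever */ return 0; }\n' > "$dir/main.c"
  printf 'nothing to see here\n' > "$dir/README.txt"
  echo "$dir"
}

# Recursive, text-only, case-insensitive search; prints file:line:match,
# deduplicated. Expect false positives from code that merely uses the
# word "flag"; the tree in the first excerpt was full of them.
find_flags() {
  grep -rIoinE "$FLAG_RE" "$1" | sort -u
}

# Usage: find_flags /path/to/downloaded/ftp/tree
```

Pipe the output through `cut -d: -f3- | sort | uniq -c | sort -rn` to push the repeated source-code noise to the bottom and leave the one-off candidates at the top.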

The first thing I did upon registering as a participant for CTF was throw a few flags at the scoreboard to see if any stuck.  Surprisingly (or not), “password” was worth 20 points.  I tried a few more potential flags, such as “DerbyCon”, since I had to wait 60 seconds between submissions.


DerbyConCTF Files

October 3, 2014

Unlike last year, I preserved all the files I downloaded during this year’s DerbyConCTF. I know this isn’t everything there was available on the network and some new systems were brought online after I stopped playing. These files contain the nmap, nikto (and some other) scans along with any content I was able to easily download (mostly talking http and ftp here).

I’m sure there are probably a few hidden flags in these files waiting to be discovered, and when I have time to get back around to it, I’ll sift through them to see if I can positively identify any more. I welcome any hints you might like to drop in the meantime. 🙂

Next week I should be able to get around to finally describing some of these flags, so hang in there if you’re following along.

Here is an index to the Capture The Flag (CTF) flags I found during DerbyCon 4.0 Family Rootz:

No  Flag                  Points  Explanation
1   password              20      Link
2   MayUrG0atsBeFr33      20      Link
3   Goats34Milk           20      Link
4   ML5jVuOCTvMhaG70p0BL  20      Link
5   HopeSolo              40      Link
6   MudFlaps              80      Link
7   ImpossibleToHerd      20      Link
8   lambSkinCoat          40      Link
9   mossyoakcamo          30      Link
10  pirateslife4me        100     Link
11  time2seethebirds      100     Link
12  TheFappening          100     Link
13  SourceCodeTheft       100     (Not yet published)
14  PurpleMooCow          500     (Not yet published)

I will update this table with links to each of the flags as I blog about them.

I hope this blog series:
1. Will help hesitant hackers participate in a future CTF by giving them a starting point of where and how to look for flags.
2. Will produce a conversation with fellow CTF participants who stumble across the blog about what their experiences were with this particular CTF.
3. Will produce a conversation about the flags I overlooked, the techniques/tools I need to become proficient at, and pointers on how I can be a better hacker and CTF player.

Last weekend I attended DerbyCon, a hacker conference in Louisville, Kentucky.  DerbyCon is a relatively young conference (compared to others such as DEF CON) and this is the fourth consecutive year it’s been held.  I have attended every year.  Every year that I have attended, I have participated in the Capture The Flag (CTF) event.

A few of my readers won’t know what CTF is, so I’ll take a moment to explain it.  CTF is an event in which hackers compete to find “flags” on vulnerable networks or systems.  CTFs vary in type, but the basic premise is that you use any means necessary (within the stated rules) to locate flags, which are turned in for points.  Flags can be obtained in any number of ways but typically involve locating them hidden in certain locations or files.  The more difficult the flag is to obtain, the more it’s worth in points.

I competed in my very first CTF event my first year at DerbyCon.  Ever since, I have become completely immersed in playing CTF while at the con.  To put that in perspective, the last two years I attended the con, I did not see a single talk outside the opening and closing ceremonies, simply because the CTF hasn’t started or has already ended during those talks.  Any talks I see are usually after they’ve been posted to YouTube at a later date.
